Bugtraq mailing list archives
Re: [HERT] Advisory #002 Buffer overflow in lsof
From: woods () UCAR EDU (Greg Woods)
Date: Fri, 19 Feb 1999 14:03:35 -0700
> People who publish bugs/exploits that are not being actively exploited *before* giving the vendor a chance to fix the flaws are clearly grandstanding. They're part of the problem -- not the solution.

> The REAL problem is software package maintainers who do not proactively audit their software.
These are not mutually exclusive positions, but the former argument gets more sympathy from me. In any reasonably complex software package, it is possible to miss a flaw no matter how carefully you audit your code. The measure of a good software vendor (or author) is not whether their code is 100% free of flaws (none is), but how they respond when flaws are discovered.

In the case of a security flaw, revealing such a flaw before a fix is in place, especially if the revelation comes complete with an exploit script that makes anyone capable of exploiting the flaw with zero effort, is irresponsible behavior. If someone who finds a flaw is primarily concerned with minimizing the damage from such a flaw, then it makes sense to contact the author *first*, and at least give the author a *chance* to provide a fix. Someone who doesn't do this, and instead goes public with how much he knows before anyone in a position to fix the problem is informed, is more concerned with his own glory than with getting the problem fixed. I.e., he is grandstanding.

--Greg